For some reason one of my ssh keys "just broke" - it just stopped working:

$ ssh-add ./id_rsa
Error loading key "./id_rsa": invalid format

Copying the key inside a clean VM, the key does work. Even with the exact same ssh version (OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018 on Fedora 28). So it must be related to some config on my system I assume.

# cat ./id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,...

...
-----END RSA PRIVATE KEY-----

Also peculiar: GNOME somehow manages to add the key on login with seahorse. Then ssh-add -L does list the key but it is not usable:

sign_and_send_pubkey: signing failed: agent refused operation
FlorianLudwig

9 Answers

I was getting the same error message when passing in the private key through a CI pipeline variable in Gitlab.

The error was caused by not having a newline character at the end of the variable and was fixed by manually adding it.

AdrianoKF
  • I also had this issue from within a gitlab runner. You helped me to fix it. I don't understand this end of line issue though. – Pierre de LESPINAY Mar 25 '22 at 07:45
  • Can you describe what you mean by variable? Are you storing the key in an environment variable? I'm copying my keys into a container for Bitbucket Pipelines, which works fine locally, and encountering this problem during builds. I tried adding a newline to what becomes the private key file, but no luck. – Life5ign Oct 18 '22 at 23:15
  • Gitlab CI specifically has a feature that allows you to define CI variables that will be exposed as files in the job container, with an environment variable set (with the same name as the CI variable) that holds the path to the file. I haven't used Bitbucket Pipelines before, but maybe they offer a similar feature? – AdrianoKF Oct 19 '22 at 08:06
Traditionally, OpenSSH's private key format was identical to the older PEM format used by OpenSSL. (Because it uses OpenSSL for parsing the key, it will accept the newer PKCS#8 format as well.)

So the issue can be one of:

  1. Your OpenSSL version refuses to load this key format. Perhaps it has accidentally enabled FIPS mode and refuses any algorithms except those part of its original FIPS validation?

    Try loading the key into the openssl command-line tool (which, yes, might also be linked to a different libcrypto, and you should check with ldd):

    openssl rsa -noout -text < id_rsa
    openssl pkey -noout -text < id_rsa

    Try converting it to PKCS#8 format:

    umask 077
    openssl pkey < id_rsa > id_rsa.pkcs8
    ssh-add id_rsa.pkcs8

  2. Your OpenSSH has been built without OpenSSL support. Even though ssh -V says the support was enabled, that does not automatically mean the ssh-add binary is the same – it might come from a different partial installation.

    Use type -a ssh and type -a ssh-add to compare installation locations.

    Once you know the path, use ldd /usr/bin/ssh-add to verify that it's linked to libcrypto.so (the OpenSSL cryptographic library).


If nothing works at all, try converting your key to the new OpenSSH-proprietary format using... PuTTY. Install the putty package for Fedora, and use:

puttygen id_rsa -o id_rsa.newformat -O private-openssh-new
ssh-add id_rsa.newformat

Also peculiar: GNOME somehow manages to add the key on login with seahorse.

Older GNOME Keyring versions have an internal copy of the SSH agent code and are independent from the system OpenSSH. So they will accept keys that your OpenSSH won't. (But on the other hand, this means severe lagging in terms of feature support (such as Ed25519 keys), and the latest GNOME Keyring just uses the system ssh-agent instead.)

u1686_grawity
  • Thanks for the lengthy answer! 1. Opening the key with openssl does work: `openssl rsa -noout -text < id_rsa` and `openssl pkey -noout -text < id_rsa`. Also I have other ssh keys that have the same header and work fine. 2. Converting it to PKCS#8 format does work. I can use the key in PKCS#8. 3. Then other keys wouldn't work, or wouldn't they? 4. Regarding GNOME, it is the current version of GNOME and it runs the OpenSSH agent (as confirmed by `ps`) --- So I do have a workaround, thanks! Still wondering WHY. What is wrong / what happened... – FlorianLudwig Oct 29 '18 at 08:40
  • Same exact thing happened to me. No manual change regarding ssh (the only culprit could be the command `heroku keys:add`, but that should operate on the remote; it is the only command regarding keys that I recently ran). Regenerating the key as *pkcs8* works for me as well and restored my connectivity. The *invalid-format* `id_rsa.pub` last modification is dated 2018. – I quote you: `Still wondering WHY. What is wrong / what happened...` – Kamafeather Jul 17 '19 at 15:39
  • Wondering if it might be related to virus infections; or to the SSD starting to die? It seriously worries me, to not know the cause. – Kamafeather Jul 17 '19 at 15:40
  • This happened to me when I upgraded to OpenSSH 8 on Windows 10. I ended up using PuTTYgen to export the private key in the new format, and it started working again. – Matt Mills Mar 04 '20 at 17:54
  • Use puttygen to export the key: Menu > Conversions > Export OpenSSH key, and save it somewhere. – Dr Deo Jun 07 '20 at 13:16
  • After generating the `pkcs8` I tried `ssh -i id_rsa.pkcs8 me@there` and still couldn't connect, then I tried `ssh-add id_rsa.pkcs8` and repeated `ssh -i id_rsa.pkcs8 me@there` and it worked, which makes me wonder what the `ssh-add` is actually doing? – shortcipher3 Sep 17 '20 at 19:49
  • After removing `ssh-add -d id_rsa.pkcs8` and adding the original `ssh-add id_rsa` I was able to connect. So `ssh-add` seems to be what makes the difference for me. – shortcipher3 Sep 17 '20 at 21:02
  • It also happens if the id_rsa.pub file is missing. – Niclas Hedhman Nov 01 '20 at 18:26
In my case, the problem was caused by incorrect end of line characters in id_rsa file. After copying file content, Windows text editor wanted to help me and converted EOLs to CR LF.

Kamil
  • Although tempting, don't use the clipboard. Copy the file using WinSCP. – woter324 Feb 25 '20 at 23:55
  • @woter324, note that as of 2020 [only 46% of developers](https://insights.stackoverflow.com/survey/2020#technology-developers-primary-operating-systems) use Windows – vladkras Jul 28 '21 at 07:53
  • After EOL Conversion, I also needed to append a new line to the end – mrjamesmyers Dec 01 '21 at 12:32
  • @vladkras While I would personally prefer never to use Windows again, I am required to. Another way to look at this statistic is that as of 2020, nearly half of developers use Windows. That makes this a very valid response in my opinion. – slbass Dec 28 '21 at 15:30
In my case, I just copied id_rsa private key but not the public part id_rsa.pub. It worked but complained with 'invalid format' each time I did server operations. Copying id_rsa.pub as well solved the problem.

  • This solution fixed it for me – Skatox Jul 14 '20 at 04:03
  • @Ilya P did you add them to their own `.ssh` directory? I did this, but added them to `/root` (which has `0700` permissions as required by ssh), and it didn't work. Of course, this all works locally, but doesn't work in Bitbucket Pipelines, where I'm seeing the error. – Life5ign Oct 18 '22 at 23:14
I recently had this problem, and in my case it was due to having an invalid certificate (i.e. $HOME/.ssh/id_rsa-cert.pub), which confusingly gave this same error even though my private key was still valid and SSH continued to work.

It was fixed by either removing the invalid (in my case, zero-sized) cert file, or replacing it with a valid certificate, as the case may be.

In my case, on Windows, the solution was to use the Puttygen option Conversions > Export SSH key (force new file format)

cja
Oh boy, just went through doing this for a team member... and the problem proved to be puttygen not doing things the nice way. I was finally able to fix it by using Windows Powershell and the command:

ssh-keygen -t rsa

It was an instant fix!

jkmartindale
AlexD
  • With this command you are creating a new key. The problem is that the current key is valid, but the system trying to use it complains about the format. – Purefan Oct 26 '21 at 21:26
I was struggling with this issue and it ended up being extra newlines before and after the
-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines respectively; removing them fixed it and now works fine.

hernandanielg@laptop:~$ diff -c id_rsa .ssh/id_rsa

  *** id_rsa    2022-04-26 06:41:51.650982783 -0500
  --- .ssh/id_rsa   2022-04-26 06:39:47.971676083 -0500
  ***************
  *** 1,5 ****
    -----BEGIN RSA PRIVATE KEY-----
  - 
    Proc-Type: 4,ENCRYPTED
    
  --- 1,4 ----
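Review bot: the blank line removed in this hunk sits between the BEGIN marker and the Proc-Type header, which is distinct from the blank line that legitimately follows the DEK-Info header in an encrypted key (compare the key shown in the question); only the former should be removed.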
  ***************
  *** 52,56 ****
    somehash
  - 
    -----END RSA PRIVATE KEY-----
  --- 51,54 ----
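Review bot: this hunk removes the blank line before the END marker, but the newline that terminates the END line itself has to stay, since a key file lacking that final newline produces the same "invalid format" error according to AdrianoKF's answer above.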
JW0914
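The three text-level defects reported across this thread (CR LF line endings from a Windows editor, a missing newline after the END line from a CI variable, and stray blank lines next to the BEGIN/END markers as in the diff above) can be checked before handing the file to ssh-add. The script below is an added example for this page, not code from OpenSSH, OpenSSL or any of the answerers; check_ssh_key_file is a hypothetical helper, and the sample key files it builds contain placeholder text rather than key material:

```sh
#!/bin/sh
# Added example for this thread: pre-check a PEM private key file for the
# three text-level defects reported in the answers (CR LF line endings, no
# newline after the END line, blank lines next to the BEGIN/END markers).
# check_ssh_key_file is a hypothetical helper, not an OpenSSH or OpenSSL tool.

# Prints one line per defect found. Returns 0 when the file looks clean,
# 1 when at least one defect was found, 2 when the file does not exist.
check_ssh_key_file() {
    f=$1
    n=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 2
    fi

    # Windows editors rewrite LF as CR LF (Kamil's answer).
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CR LF line endings (fix: tr -d '\\r' < $f > $f.fixed)"
        n=$((n + 1))
    fi

    # A key pasted into a CI variable often loses its final newline
    # (AdrianoKF's answer). tail -c 1 prints nothing when the file ends in \n.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no newline after the END line"
        n=$((n + 1))
    fi

    # Marker placement (hernandanielg's diff): BEGIN must be line 1, END the
    # last line, and no blank line may sit directly after BEGIN or directly
    # before END. The blank line after DEK-Info in an encrypted key is part of
    # the format and is deliberately not flagged.
    awk -v name="$f" '
        BEGIN { bad = 0 }
        { line[NR] = $0 }
        /^-----BEGIN / { b = NR }
        /^-----END /   { e = NR }
        END {
            if (!b || !e) { print name ": BEGIN/END markers missing"; exit 1 }
            if (b != 1)  { print name ": " (b - 1) " line(s) before BEGIN"; bad = 1 }
            if (e != NR) { print name ": " (NR - e) " line(s) after END"; bad = 1 }
            if (line[b + 1] ~ /^[[:space:]]*$/) { print name ": blank line after BEGIN"; bad = 1 }
            if (line[e - 1] ~ /^[[:space:]]*$/) { print name ": blank line before END"; bad = 1 }
            exit bad
        }' "$f" || n=$((n + 1))

    [ "$n" -eq 0 ]
}

# Constructed sample files: the body is placeholder text, not key material.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BODY='Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

placeholderplaceholderplaceholderplaceholderplaceholderplaceholderplaceho'
BEGIN_LINE='-----BEGIN RSA PRIVATE KEY-----'
END_LINE='-----END RSA PRIVATE KEY-----'

printf '%s\n%s\n%s\n' "$BEGIN_LINE" "$BODY" "$END_LINE" > "$SAMPLE_DIR/good"
# pasted through a CI variable: final newline dropped
printf '%s\n%s\n%s' "$BEGIN_LINE" "$BODY" "$END_LINE" > "$SAMPLE_DIR/no_newline"
# saved by a Windows editor: every line ends in CR LF
awk '{ printf "%s\r\n", $0 }' "$SAMPLE_DIR/good" > "$SAMPLE_DIR/crlf"
# extra blank lines directly after BEGIN and directly before END
printf '%s\n\n%s\n\n%s\n' "$BEGIN_LINE" "$BODY" "$END_LINE" > "$SAMPLE_DIR/blank_lines"

for k in good no_newline crlf blank_lines; do
    if check_ssh_key_file "$SAMPLE_DIR/$k"; then
        echo "$SAMPLE_DIR/$k: ok"
    fi
done
```

The checker deliberately does not call openssl or ssh-keygen, because an encrypted key would stop for a passphrase prompt; the openssl commands in u1686_grawity's answer remain the way to confirm that the key actually parses once the file is clean.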
Because I keep coming back to this question and often forget what to do on a Mac: you can also run

ssh-add --apple-use-keychain {path_to_ssh_key}

to get the "Load key ... invalid format" git error fixed.

Naz